IP Intelligence
Advanced IP Defense classifies publicly routable IPv4 addresses using dynamic,
cloud-sourced attributes organized into seven categories.
The Advanced IP Defense cloud service continuously evaluates publicly routable IP
addresses and assigns security attributes based on observed behavior, infrastructure
ownership, and threat intelligence. Each attribute has a defined lifespan (TTL) that
determines how long it remains active without new evidence. The service also sets an
attribute as soon as positive evidence is observed and unsets it as soon as negative
evidence is observed, without waiting for the TTL to expire. Verdicts therefore track an
address's current behavior, which reduces the false positives common with static IP
feeds that keep listing an address long after the activity has stopped.
The seven categories and their tags are listed below. You reference a whole category or
its individual tags when building match rules in an Advanced IP Defense security
profile.
| Category | Tags | Description |
| --- | --- | --- |
| Anonymizers and Proxies | Tor Exit Node, Open Proxy, Private Proxy, Commercial VPN | IP addresses associated with anonymizing services that mask the true origin of traffic, including Tor exit nodes, open and private proxy servers, and commercial VPN endpoints. |
| Netblock Owner | CDN, AWS Cloud, GCP Cloud, Azure Cloud, OCI Cloud, Public Cloud, Residential ISP | Infrastructure classification based on the registered owner of the IP address block. Use these tags to build rules that differentiate between cloud-hosted, CDN-hosted, and residential traffic. |
| Abuse | Scanning and Brute-force | IP addresses actively conducting scanning or brute-force activity, confirmed by strong evidence. |
| Malware and C2 | Malware C2, Malware Download, In Shellcode, Malware Communicated, Hardcoded in Malware | IP addresses linked to malware distribution, command-and-control communication, exploitation payloads, or connections observed from malware samples in a sandbox. |
| High Risk | Bulletproof Hosting | IP addresses or subnets belonging to bulletproof hosting infrastructure that knowingly shelters malicious content and resists takedown requests. |
| Direct to IP | (No individual tags) | Connections made directly to an IP address without a preceding DNS resolution. This category is unique because it reflects connection behavior rather than a static attribute of the IP address. |
| Vulnerable Services | Exposed Vulnerable Service | Publicly reachable services on IP addresses that are vulnerable to known CVEs or exploits. |
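Because Direct to IP describes connection behavior rather than a property of the destination address, it cannot be precomputed per IP; it has to be derived by correlating a client's DNS answers with its later connections. The following is an added example of that correlation, written for this page and not taken from Palo Alto Networks' implementation. The event records, the 600-second lookback window, and the rule that the DNS answer must come from the same client are all assumptions made for the illustration.

```python
"""Flag 'direct to IP' connections: a client connects to a destination IP that
no DNS answer seen from that same client resolved to within a lookback window.
Added illustration, not the Advanced IP Defense implementation."""

# Constructed sample events in timestamp order (not captured traffic):
#   ("DNS",  client, (qname, answer_ip))  -- a DNS answer returned to client
#   ("CONN", client, dest_ip)             -- a connection opened by client
EVENTS = [
    (100, "DNS",  "10.0.0.5", ("www.example.com", "203.0.113.10")),
    (101, "CONN", "10.0.0.5", "203.0.113.10"),   # resolved just before -> normal
    (130, "CONN", "10.0.0.5", "198.51.100.7"),   # never resolved       -> direct
    (140, "DNS",  "10.0.0.9", ("cdn.example.net", "203.0.113.10")),
    (141, "CONN", "10.0.0.7", "203.0.113.10"),   # resolved by another host -> direct
    (900, "CONN", "10.0.0.5", "203.0.113.10"),   # answer older than window -> direct
]

# Assumption: a DNS answer "covers" connections for this many seconds.
DNS_LOOKBACK_SECONDS = 600


def direct_to_ip_connections(events, window=DNS_LOOKBACK_SECONDS):
    """Return (ts, client, dest_ip) for every connection made without a
    preceding DNS answer, from the same client, that resolved to dest_ip
    within `window` seconds. `events` must be sorted by timestamp."""
    last_resolved = {}   # (client, ip) -> timestamp of most recent answer
    flagged = []
    for ts, kind, client, payload in events:
        if kind == "DNS":
            _qname, answer_ip = payload
            last_resolved[(client, answer_ip)] = ts
        elif kind == "CONN":
            seen = last_resolved.get((client, payload))
            if seen is None or ts - seen > window:
                flagged.append((ts, client, payload))
    return flagged


if __name__ == "__main__":
    for hit in direct_to_ip_connections(EVENTS):
        print("direct-to-IP:", hit)
```

The check only works when the sensor sees both the DNS answers and the connections for a client. A host that resolves names over a path the sensor cannot observe (for example an encrypted resolver) will look as if it connects directly, so treat Direct to IP as a behavioral signal to combine with other categories rather than as proof of malicious intent.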
Attributes are assigned per IP address, not per subnet, even where the underlying
intelligence describes a whole netblock (as with bulletproof hosting). Threat-related
attributes (Anonymizers and Proxies, Abuse, Malware and C2, High Risk, Vulnerable
Services) use shorter TTL values so that verdicts expire quickly once the evidence stops,
while infrastructure attributes (Netblock Owner) use longer TTL values because the
registered owner of an address block changes far less often.
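To make the TTL and evidence semantics concrete, here is an added model of a per-IP attribute store and a category/tag match rule. It is written for this page and is not Palo Alto Networks' code; the cloud service's internals are not documented here. The numeric TTLs (one day for threat categories, thirty days for Netblock Owner), the match semantics, and the sample IPs are assumptions chosen for the illustration. Direct to IP is left out of the store because, as the table notes, it is connection behavior rather than a stored attribute.

```python
"""Model of per-IP attributes with evidence-driven set/unset and TTL expiry,
plus a profile-style match rule over categories and tags.
Added illustration, not the Advanced IP Defense implementation."""
from dataclasses import dataclass, field

# Category -> tags, taken from the table above. Direct to IP has no tags and
# is not a stored attribute, so it is intentionally absent.
CATEGORIES = {
    "Anonymizers and Proxies": {"Tor Exit Node", "Open Proxy", "Private Proxy", "Commercial VPN"},
    "Netblock Owner": {"CDN", "AWS Cloud", "GCP Cloud", "Azure Cloud", "OCI Cloud",
                       "Public Cloud", "Residential ISP"},
    "Abuse": {"Scanning and Brute-force"},
    "Malware and C2": {"Malware C2", "Malware Download", "In Shellcode",
                       "Malware Communicated", "Hardcoded in Malware"},
    "High Risk": {"Bulletproof Hosting"},
    "Vulnerable Services": {"Exposed Vulnerable Service"},
}
TAG_TO_CATEGORY = {tag: cat for cat, tags in CATEGORIES.items() for tag in tags}

# Assumed TTLs in seconds. The page gives no numbers, only that threat
# categories expire faster than Netblock Owner.
TTL_SECONDS = {cat: 24 * 3600 for cat in CATEGORIES}
TTL_SECONDS["Netblock Owner"] = 30 * 24 * 3600


@dataclass
class AttributeStore:
    _attrs: dict = field(default_factory=dict)   # ip -> {tag: expiry_ts}

    def observe(self, ip, tag, now, positive=True):
        """Positive evidence sets the tag and refreshes its TTL; negative
        evidence unsets it immediately instead of waiting for expiry."""
        tags = self._attrs.setdefault(ip, {})
        if positive:
            tags[tag] = now + TTL_SECONDS[TAG_TO_CATEGORY[tag]]
        else:
            tags.pop(tag, None)

    def active_tags(self, ip, now):
        """Tags whose TTL has not elapsed at `now`; expired tags are dropped."""
        tags = self._attrs.get(ip, {})
        live = {tag for tag, expiry in tags.items() if expiry > now}
        self._attrs[ip] = {tag: tags[tag] for tag in live}
        return live


def matches(rule, ip, store, now):
    """`rule` lists category and/or tag names. It matches when the IP currently
    carries any listed tag or any tag belonging to a listed category."""
    live = store.active_tags(ip, now)
    return any(
        (name in CATEGORIES and live & CATEGORIES[name]) or name in live
        for name in rule
    )


def demo():
    """Walk one constructed address through set, expiry, and explicit unset."""
    store = AttributeStore()
    ip = "198.51.100.23"          # constructed, documentation range
    t0 = 1_700_000_000
    store.observe(ip, "Scanning and Brute-force", t0)
    store.observe(ip, "AWS Cloud", t0)
    block_abuse = ["Abuse", "Malware C2"]
    results = {
        "abuse_now": matches(block_abuse, ip, store, t0 + 3600),
        # The Abuse tag lapses after a day; the Netblock Owner tag survives.
        "abuse_after_2_days": matches(block_abuse, ip, store, t0 + 2 * 86400),
        "owner_after_2_days": matches(["Netblock Owner"], ip, store, t0 + 2 * 86400),
    }
    # Fresh positive evidence re-sets the tag; negative evidence a minute
    # later clears it long before its TTL would have.
    store.observe(ip, "Scanning and Brute-force", t0 + 3 * 86400)
    store.observe(ip, "Scanning and Brute-force", t0 + 3 * 86400 + 60, positive=False)
    results["abuse_after_unset"] = matches(block_abuse, ip, store, t0 + 3 * 86400 + 120)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is the asymmetry between the two timers: an Abuse verdict that nobody re-confirms silently ages out in a day, while a cloud-provider ownership tag persists, so a rule such as "block Abuse, allow AWS Cloud" behaves differently against the same address depending on when the last scanning evidence arrived.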
The category and tag definitions are delivered through the PAN-OS content
update package. When Palo Alto Networks adds new categories or tags, you receive them
through a content update and they become available in the profile configuration UI without
a PAN-OS upgrade.